Handle security incidents in seven steps

Don't allow a security incident to throw your IT department into a panic. Set up a procedure for handling incidents using the seven steps outlined in this article.

This article was originally published in TechRepublic's Security Solutions e-newsletter.


The likelihood that you'll encounter a security incident grows each day. You don't want to wait until you're in the middle of a crisis to start developing a rational plan for handling an attack. Being prepared for an incident is essential to the survival of your network and its resources. Incident handling begins with planning and with establishing policies and procedures.

Developing a plan of attack for each type of security incident is crucial to the restoration of normal operation. The most common incident categories are:
  • Elevation of file privileges: A user or guest gains greater privileges.
  • Data alteration: Files are changed by unauthorized users.
  • Data theft: Data is removed from the system.
  • Denial of service (DoS): Legitimate access to the system is denied.

Sometimes an event will span multiple categories. For example, Web site defacement involves elevation of privileges and data alteration.

Essential action
Different events require different responses. However, you should follow these seven steps for every incident.

Step 1: Document everything
When an incident occurs, you need to document any information relating to the security issue. Your documentation doesn't have to be fancy. It can be a Word document with screen shots or notes on a blackboard. The goal is to capture detailed information without destroying or contaminating potential evidence. Before you take further action, verify that you have an incident.

Step 2: Make the appropriate contacts
Depending on the severity of the incident, the first call might be to a service provider or it might be to an internal legal department to start a chain of custody for evidence. For each type of incident, develop a flow chart detailing whom to contact.

Step 3: Contain the incident
Concentrate on limiting the extent of the damage to your network. Determine whether the incident is still in progress and should be monitored, or whether you should act to stop the activity.

Step 4: Identify the point(s) of failure
Discover how the incident occurred and determine what you should do to ensure the same event isn't repeated.

Step 5: Solve the problem and repair the damage
Implement the solution you've determined is necessary to ensure that the security event doesn't recur. This might be as simple as applying an operating system patch or adding a new rule to a firewall or router. After you've plugged the security hole, repair any damage caused by the incident.

Step 6: Increase monitoring
Once a compromised system is restored to operation, continue to monitor for back doors, Trojans, and repeat attempts. Make sure that the cause of the incident has been removed and the system is functioning normally.

Step 7: Learn from the incident
A successful attack breeds a persistent hacker, so keep a careful watch for the same hacker to return. Discover exactly what occurred, how it occurred, and what is necessary to ensure that it doesn't happen again.
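Step 1 (capture information without contaminating evidence) and Step 2 (start a chain of custody) can be backed by a tamper-evident incident record. The following Python is an added example, not code from the article; the IncidentLog class, the category names and the defacement scenario are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# The four incident categories the article lists; one event may span several.
CATEGORIES = {"privilege_elevation", "data_alteration", "data_theft", "denial_of_service"}

def _digest(body):
    # Canonical SHA-256 of an entry's fields (sorted keys, so field order cannot vary).
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class IncidentLog:
    """Append-only record: each entry hashes its predecessor, so a later edit or deletion breaks the chain."""

    def __init__(self, incident_id, categories):
        if set(categories) - CATEGORIES:
            raise ValueError(f"unknown incident categories: {sorted(set(categories) - CATEGORIES)}")
        self.incident_id, self.categories, self.entries = incident_id, sorted(categories), []

    def record(self, step, note, evidence=None, when=None):
        # Only the SHA-256 of a captured evidence copy is stored; the original is never touched.
        body = {
            "step": step,
            "time": when or datetime.now(timezone.utc).isoformat(),
            "note": note,
            "evidence_sha256": hashlib.sha256(evidence).hexdigest() if evidence is not None else None,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else "0" * 64,
        }
        body["entry_hash"] = _digest(body)
        self.entries.append(body)
        return body["entry_hash"]

    def verify(self):
        # Recompute the chain: -1 if intact, else the index of the first bad entry.
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or _digest(body) != entry["entry_hash"]:
                return i
            prev = entry["entry_hash"]
        return -1

def demo():
    # Constructed walk-through of a defacement (privilege elevation + data alteration).
    log = IncidentLog("INC-0001", ["privilege_elevation", "data_alteration"])
    log.record(1, "Homepage altered; copied access log", evidence=b'10.0.0.5 "GET /index.html" 200\n')
    log.record(2, "Called legal to open chain of custody")
    intact = log.verify()                              # -1: chain is consistent
    log.entries[1]["note"] = "quietly edited later"    # tamper with the record
    return intact, log.verify()                        # (-1, 1): the edited entry is flagged
```

Keeping the record itself on a separate host (or printing and signing it) is what turns this detectability into a usable chain of custody.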

Final thoughts
Incident handling shouldn't be a reactionary exercise; it should be a logical progression down a predetermined path. Plan well, and handling a network security incident will become a methodical task, rather than a cause for panic.
